Fri, 18 Sep 2009 01:38:35 GMT
Sun, 05 Sep 2010 10:00:51 GMT
I would like to give you some more details and hopefully speed up the 'next stable release' process.

After the release of 0.7.24 rc1 I'm overloaded with false positives due to a missed point of the upgrade instructions (see previous news). This slows down the process of discovering issues (if any) that are not covered yet, related to the latest e-token security protection.

The case is simple: we are able to stop those false positives with one line of code. However, this will solve our (core developer and support team) problems only. I'll give you some extra info which should help you identify us as 'good guys'.

During the e-token test, I found a very bad issue - it has been there forever. In a few simple words, if you use the default e107.htaccess (renamed to .htaccess), your site will do something like 10 to 20 extra SQL queries (depending on your site configuration), plus of course additional PHP parsing work for your server's processor, per missing image/CSS/JavaScript file reference.
A simple calculation says: if your average site SQL request count is 20 and you have 4 missing images, you end up with 100 SQL queries per page (instead of 20). You should understand now that the issue is really bad.

Most of the "Access denied" issues were a side effect of the above. It's really easy for me to 'mask' the problem as solved, but I hope you understand now why I don't want to do this.
We didn't invent upgrade instructions to 'keep you' busy, so please follow them and give us maximum information so that we'll be able to reproduce your problems, fix them and go forth. A whole 0.8 branch is waiting for us for the final work.

I wish to use the moment and add a big THANKS to all community members who helped us fight the latest issues.
Sat, 28 Aug 2010 06:47:22 -0500
0.7.24 rc1
Thu, 26 Aug 2010 11:47:11 -0500
0.7.23 Release with security fixes and enhancements.
Fri, 20 Aug 2010 14:00:11 -0500
There has been a lot of speculation about the future direction of e107 recently, and it's time to put that to rest and move forward.

The dev team has spent quite a long time (weeks, if not months) discussing all aspects of e107 - the code, the community, the organisation, to try and establish a coherent plan for the future. Some of the results have been around for a while - the establishment of jira as an issue tracking system, some draft coding standards and guidance that we're refining before making public, better code documentation and so on. Overall the objective is to have a much more professionally run project.

We recognise that some things have been far from perfect in the past - sometimes simply due to lack of time; sometimes for other reasons. We're trying to get it right now.

It is also sad to lose McFly's input - hopefully not entirely, since he's still going to be around. As a long-term contributor to e107, it's hardly surprising that he needs to concentrate on other things for a while.


Moving on, there are a number of things planned:

1. For 0.7, as well as continuing to maintain the code, we will be adding a few enhancements. These are mostly ones which the dev team already have available, or can release with minimal work, since we don't want to deflect too much effort from getting 0.8 on the way. Various members of the community are also working on enhancements which we will consider.

2. For 0.8, the intention is to move to a release as soon as possible. Part of the delay was due to a realisation that some of the structure was wrong, and is having to be redesigned. This is nearly done, and you should start seeing code changes in SVN soon.
We have a good idea of the final structure we need, and 0.8 is going to be the 'bridge' between old and new in order to maintain a reasonable degree of backward compatibility and provide an upgrade path.

3. On the organisational side, Cameron is going to be the overall project leader (much as jalist was in the early days), backed up by SecretR and myself as the 'old hands'. We already have a capable support team under the leadership of 2dopey, which will continue. The dev team is to be strengthened - as well as existing devs Bugrain and nlStart we have some other community members to be approached. One area where we'd particularly like some input is on the security side. We've also had a tremendous number of offers of talented assistance from all round the world. Not just on the coding side, but also in areas such as marketing and public relations.
So over the next few weeks, we're going to review all these offers, and put together a team to take e107 forward.


More to come - so watch this space.

Thu, 05 Aug 2010 18:11:05 -0500
This has been something I have been considering for quite some time and I feel the time is finally here.
As of today, I am no longer developing for e107.

The main reason for the decision is due to priorities changing. Other things in my life (work, family, fire department, etc) just seem to be taking up most of my free time and I can't devote the time to e107. It also seems that the fire has gone out for me, I just don't seem to have the desire to open up the code like I used to.

For all the people that I have promised code for and for all of the work I have done that is incomplete, I am sorry. I had intended to tie up some loose ends before leaving, but it just didn't happen.

I do not know what the future holds for e107, but I wish it the best. I will still be hanging out in #e107 during the day, so I'll still be seeing some of you.

I want to thank all of the people I have worked with on e107...especially jalist. He graciously accepted code from a complete php newbie and allowed me to get involved with the project. I have totally enjoyed my experience with e107.



Now for some fun, for those of you that understand the reference of the news title...discuss

Top three Firefly episodes:
1) Out of Gas
2) Objects in Space
3) Jaynestown


Top 3 Firefly characters (not part of the crew):
1) Jubal Early
2) Stitch Hessian
3) Adelei Niska
Mon, 02 Aug 2010 09:17:29 -0500
I decided to write this post because of the large number of forum help requests and accusations against the e107 system. Although the support team has tried to consolidate the discussion in a low number of forum threads (see septor's Consolidated Flood Attack Information), people are still opening new threads, which is only increasing the panic.

I often read angry posts from people who are blaming e107 because it can't handle the situation. This is wrong. You would never blame your medical man because he can't invent (develop!) a medicine against your current disease. Don't blame e107 because it's installed on servers which can't handle the current bot attacks. Don't search for an e107/PHP-based solution to fight the problem. This won't help.

I spent time writing detailed information on my blog about server tools which will help to stop attacking bots before they reach your PHP engine. They should also help with finding rootkits already installed on the attacked servers. The information is meant for dedicated server owners, but it can be passed to your shared hosting provider if needed. The information I'm providing is based on my experience - a number of attacked servers were able to return to a normal working state (no CPU overload, large number of FW blocked IPs).
For those server owners not familiar with server administration, I posted a link to a company which offers a low cost server configuration service. If you are not experienced enough, you really should look for security professionals.
I'm hardly convinced this is the only way we stop the attack against our community.

The whole article - Secure server configuration - stop the madness
Good Luck!
Sat, 10 Jul 2010 04:34:30 -0500
Over the past couple of days a lot of e107-based sites (including e107.org) have been under attack from two angles:

1. Repeated accesses of contact.php. The objective of these attacks was to compromise sites via a vulnerability which existed in older e107 versions.

This vulnerability is fixed (as far as we know) in 0.7.22 - so if you haven't already upgraded, do it yesterday!

If you already have 0.7.22 installed, the attack simply loads up the server, and becomes a DDOS. It shouldn't be able to gain access to your site; but will slow it down (or seize it up).

If you are running earlier versions of e107, the hackers will most likely have gained access and uploaded various files. These include a Perl script which does all sorts of nasty things. So upgrade your site, and check carefully for strange files - delete any which shouldn't be there. This thread lists the files one user found. File Inspector will also help here.


2. Repeated accesses of the file 'help_us.php' (which they expect to be uploaded as part of the previous attack). Usually this will trigger a 'page not found' error. Typically this is the standard e107 error page, which does some database access, again slowing down the server. Thus this is also a DDOS attack.


In most cases (assuming you are running 0.7.22) your host is the best person to help with these attacks, by putting in server level blocks on the relevant IP addresses. (There are a large number of addresses involved - most likely a botnet of some sort).

There are a number of forum threads on this topic; things you can do to reduce the effect of the attacks (but not stop them) include:

1. If you're not using the contact form, delete contact.php
2. If you are using the contact form, rename it, and update the link.
3. Put in a 'pure HTML' error page for '404' (page not found) errors


While we believe that 0.7.22 blocked these attacks, we are aware of a few 0.7.22 sites that have been compromised. It seems likely that a different attack vector was used in these cases - most likely via a plugin. Or possibly via other means, such as a compromised FTP password. So please check server logs etc to try and identify how access was gained.
Mon, 07 Jun 2010 15:13:27 -0500
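The server-log check recommended in the post above, as an added example (not e107 code): it counts requests for the two files the post names and builds a candidate list of IPs to hand to your host for server-level blocks. It assumes Apache "combined" log format; the sample lines, the `/uploads/` path and the threshold are constructed for illustration. Treating a 200 response for help_us.php as a sign that the file exists on disk is an added heuristic, not something the post states.

```python
import re
from collections import Counter

# Apache "combined" log format (assumption; adjust the pattern for your server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
WATCHED = ("contact.php", "help_us.php")  # the two files named in the post

# Constructed sample lines using documentation-range IPs, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2010:04:01:02 -0500] "POST /contact.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [10/Jul/2010:04:01:03 -0500] "POST /contact.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [10/Jul/2010:04:01:04 -0500] "GET /help_us.php HTTP/1.1" 404 310 "-" "-"
198.51.100.7 - - [10/Jul/2010:04:02:10 -0500] "GET /help_us.php HTTP/1.1" 404 310 "-" "-"
198.51.100.7 - - [10/Jul/2010:04:02:11 -0500] "GET /uploads/help_us.php?x=1 HTTP/1.1" 200 88 "-" "-"
203.0.113.5 - - [10/Jul/2010:04:03:00 -0500] "GET /news.php HTTP/1.1" 200 9000 "-" "-"
203.0.113.5 - - [10/Jul/2010:04:03:05 -0500] "GET /contact.php HTTP/1.1" 200 4000 "-" "-"
"""

def triage(lines, threshold=3):
    """Return (ips_to_block, help_us_paths_served_with_200)."""
    hits = Counter()   # requests for watched files, per client IP
    found = set()      # help_us.php paths the server answered with 200
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # skip malformed or non-request lines
        path = m["path"].split("?", 1)[0]
        name = path.rsplit("/", 1)[-1].lower()
        if name not in WATCHED:
            continue
        hits[m["ip"]] += 1
        if name == "help_us.php" and m["status"] == "200":
            found.add(path)  # check this path on disk and remove the file
    block = sorted(ip for ip, n in hits.items() if n >= threshold)
    return block, sorted(found)

if __name__ == "__main__":
    block, found = triage(SAMPLE_LOG.splitlines())
    print("candidate IPs for server-level blocks:", block)
    print("help_us.php served with 200 (inspect on disk):", found)
```
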
As promised, here's another release

This release includes the fixes for the e_parse issues introduced with the last release (sorry about that).
It also includes a fix for a small security issue.

I have also done some work on my build system, hopefully now:
All files should pass the File Inspector test now.
Upgrade files no longer contain empty directories.

Link to downloads here: http://e107.org/edownload.php

Changes found here in the changelog

Please let us know if you find any problems, which I'm sure you will

Update:

The Russian Language pack for 0.7.22 has already been completed and can be found here:
http://e107.svn.sourceforge.net/viewvc/e107/trunk/e107_langpacks/zipped_langpacks_utf-8/0.7.22/

Thu, 27 May 2010 13:49:04 -0500
When creating releases on sourceforge, there used to be an email that was sent to a mailing list, allowing people to be notified of new releases. Well, I can't seem to find that after some sf changes. I'm probably blind.

Because of this, I have created a new userclass on e107.org called 'RELEASES'. If you go to your settings page and add yourself to this userclass, you will be notified of new releases via e107.org (if I remember to send the email).

We will definitely be releasing a new version soon; we have at least one issue to fix before then, so this will be a good test of the emails.
Mon, 24 May 2010 08:55:54 -0500
Sun, 05 Sep 2010 10:00:52 GMT
EasyShop version 1.54 is an update release to work with e107 core 0.7.23.

An easy e107 shop plugin with PayPal checkout, PayPal IPN or e-mail checkout.

Features:
- use PayPal or e-mail the order to website administrator
- predefined all 16 PayPal supported currencies
- create unlimited main categories
- create unlimited categories
- set user class to view category
- set user class to purchase from category
- create unlimited categories per main category
- create unlimited products per product category
- Category and Product overview layout: set the number of columns and total shown per page
- create unlimited product properties like sizes, colors etc
- create unlimited product discount codes with percentage/price with optional validation on class, dates and promotional codes
- price delta per product property
- various settings display settings
- handling cost per first product
- separate handling cost other same product
- sending costs per product
- separate sending costs other same product
- multiple images per product
- keep track of bookstock (with PayPal IPN only)
- minimum stock level alerts by e-mail
- create downloadable products
- define automatic user class promotion per product (with PayPal IPN only)
- admin decides if buyers can enter directly a number of products or buy one at a time
- attach up to 5 properties per product (size, color etc.)
- attach 1 product discount code per product
- displays random active products in a menu as 'Featured product'
- displays a list of active categories and active products in a menu as 'Product Categories'
- caches selected products during session until user clicks checkout
- customers can maintain their basket before checkout
- checkout directly from the 'Featured product' menu, the basket or category main page
- integrated e107 search functionality
- optional integrated e107 comments functionality for logged in members
- upload of pictures through admin menu
- XHTML 1.1 compliant
- built-in security checks for safe shopping basket
- improved e-mail override handling (customers can leave a note for seller, seller can add additional text to e-mail, e-mail information level)
- templated shop front end

Changelog for EasyShop v1.54:
* Bugs Fixed:
- easyshop.php: fixed clash with e-token functionality of e107 core 0.7.23
- easyshop_class.php: fixed clash with e-token functionality of e107 core 0.7.23
- easyshop_class.php: Finally fix the form close issues once and for all
- easyshop_class.php: fixed new version check location in function getCurrentVersion()
- easyshop_latest_menu.php: fixed clash with e-token functionality of e107 core 0.7.23
- easyshop_specials_menu.php: fixed clash with e-token functionality of e107 core 0.7.23
- easyshop_basket.php: fixed clash with e-token functionality of e107 core 0.7.23
- track_checkout.php: fixed clash with e-token functionality of e107 core 0.7.23
* Minor Changes:
- easyshop_ver.php: adjusted for version 1.54
Thu, 26 Aug 2010 15:59:47 +0300
Fri, 03 Sep 2010 17:33:10 GMT
zFeeder celebrates one year since its first version.

For all the German speaking people: there is a 3-page article in INTERNET PROFESSIONELL Magazine, 08/2004, from VNU Business Publications, Deutschland. There is a bigger article dedicated to RSS, and zFeeder has an article where its installation, administration and usage are extensively covered, and there is even a short passage about its WAP capabilities. The script is also included on the magazine's listings CD and, as far as I know, it's the first magazine to include it on a CD.

Development is currently on standby, frozen on version 1.6, and will continue as soon as my free time permits.
Sun, 12 Sep 2004 08:22:56 -0700
Changes:

- added WAP (wml) support - outputting wml for wap enabled devices;
- fixed a bug when deleting feeds from admin panel, thanks to Felix Rabinovich;
- added alternative login mechanism to admin panel with PHP sessions, thanks to Nicholas from xenomorph.net;
- added a user-agent string for identification when retrieving feeds from websites;
- added support for feeds which contain content:encoded items;

Thanks to the people from the forums.
Sun, 25 Apr 2004 11:15:55 -0700
zFeeder 1.5 defines a new field for the template files - a header field which is only included once (at the beginning) of zFeeder output and fixes some minor bugs:
- infojunkie javascript (contributed by Thomas Churm);
- a problem with the ampersands in the URLs (Steve from www.dreamlab.ca);
Sun, 18 Apr 2004 05:52:11 -0700
Sun, 05 Sep 2010 10:00:53 GMT
 

 
   

 
 